The invention relates generally to computer systems and networks, and more particularly to an improved method and system for implementing policy for users and computers.
Lost productivity at employees' computer desktops is a major cost for corporations, often resulting from user errors such as modifying system configuration files in ways that render the computer unworkable. Productivity is also lost when a computer desktop is too complex, such as when the desktop has too many non-essential applications and features thereon. At the same time, much of the expense of administering distributed personal computer networks is spent at the desktop, performing tasks such as fixing the settings that the user has incorrectly or inadvertently modified.
As a result, enterprises such as corporations have established policies seeking to define settings for computer users. For example, a corporation may wish to have the same e-mail and word processing program on all their users' desktops, while certain users, such as those in the engineering group, have a common CAD program not available to users in the finance group. Another policy may selectively prevent a user from connecting to the Internet by writing information into the user's machine registry to prevent access. Centralized policy systems exist to allow an administrator some control over the settings that institute such policies, and provide benefits in scalability to assist in the administration of larger networks. For example, in networks organized into domains (such as with Microsoft® Windows NT® 4.0), such policies may be applied per domain, based on each domain user's membership in a security group.
However, there are a number of drawbacks present with existing policy systems. One such drawback is that the policies are essentially static, whereby a user can change the settings and simply avoid the policy. It is cost prohibitive to have an administrator or the like go from machine to machine to check the settings on a regular basis. It is possible to force mandatory profiles on a user at each log-on based on the user's group membership. However, such mandatory profiles are too inflexible, in that essentially all settings made by an individual user are lost whenever the user logs off. For example, with mandatory profiles, customizations to a desktop, such as window placement, adding words to a user's spell checker and the like, which most enterprises would consider permissible and even desirable because they tend to increase an employee's efficiency, are lost when the user logs off.
Another significant drawback results from relying on a security group membership to determine the settings, particularly in that one group (the first group found for a user) determines that user's settings. Thus, if a user is a member of both the engineering and financial groups, the user will get only one set of policy settings. Present policy-determination systems, such as those basing policy on the domain plus membership in a security group, essentially follow a flat model, which does not fit well with a typical enterprise having a hierarchical organizational structure.
Briefly, the present invention provides a system and method for implementing policy for users and computers. Policy settings are placed into group policy objects, and each of the policy objects may be associated with one or more containers, such as hierarchically-organized directory objects (containers), e.g., a domain, site or organizational unit. Based upon administrator input, settings from policy objects are accumulated and associated with a policy recipient, whereby users' computers and the like receive the accumulated policy. To accumulate policy, the settings of group policy objects associated with directory containers may be inherited, e.g., the group policy settings may be inherited from directory containers hierarchically above a policy recipient. The administrator may enforce inheritance on some of the policy objects and/or block the inheritance of policy objects associated with other containers. The administrator's input also orders the group policy objects, whereby any conflicts are resolved by the ordering precedence, i.e., the policy's relative strength. Policy may be applied to a recipient by layering the policy settings, based on the ordering, weakest first such that the strongest settings overwrite weaker settings, or by seeking policy information from the strongest to the weakest policy until the desired policy is located.
A number of very flexible conditions based on an Active Directory hierarchy may be included. By default, an object's parent container in the hierarchy is the strongest factor, but other containers hierarchically above the parent may affect an object's policy, and by default, group policy affects each of the computers and users in a selected Active Directory container. A default inheritance evaluates group policy starting with the Active Directory container that is furthest away, whereby the Active Directory container closest to the computer or user has the ability to override policy set in a higher level container, in the order of Site, Domain, Organizational Unit or Units (SDOU). Moreover, there is provided an option to block inheritance of policy from higher parent containers; however, there are also options that allow policy of a specific group policy object to be enforced so that group policy objects in lower level containers cannot override the policy settings of higher level containers, i.e., an enforced option takes precedence. In addition, the effects of group policy may be filtered based on users' or computers' membership in a security group.
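The accumulation rules just described (SDOU ordering, block inheritance, enforced links that higher containers win, security-group filtering, and the two equivalent application strategies of weakest-first layering versus strongest-first lookup) can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the patent or from any Windows implementation; the container names, GPO names and settings are constructed for the example, and the `Container`, `Link` and `GPO` types are assumptions chosen to mirror the text.

```python
# Added illustration of the policy-accumulation rules described above; this is
# not the patent's own code, and the sample hierarchy below is constructed.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class GPO:
    """A group policy object: named settings plus an optional security-group filter."""
    name: str
    settings: Dict[str, object]
    apply_to: FrozenSet[str] = frozenset()  # empty set means no filtering


@dataclass
class Link:
    """Association of a GPO with a container; an enforced link cannot be overridden below."""
    gpo: GPO
    enforced: bool = False


@dataclass
class Container:
    """A directory container (site, domain, OU). Links are ordered strongest-first by the administrator."""
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def _applies(gpo: GPO, recipient_groups: FrozenSet[str]) -> bool:
    # Security-group filtering: an unfiltered GPO applies to every recipient.
    return not gpo.apply_to or bool(gpo.apply_to & recipient_groups)


def resolve_order(chain: List[Container], recipient_groups: FrozenSet[str]) -> List[GPO]:
    """Return the GPOs that apply to a recipient, weakest first.

    `chain` runs from the furthest container (site) to the closest (OU), i.e. the
    SDOU order, so by default a closer container overrides a further one.
    """
    normal: List[GPO] = []                  # non-enforced GPOs, weakest first
    enforced_groups: List[List[GPO]] = []   # enforced GPOs per container, strongest first
    for container in chain:
        if container.block_inheritance:
            # Block inheritance discards non-enforced policy from higher containers;
            # enforced policy survives the block.
            normal = []
        kept = [link for link in container.links if _applies(link.gpo, recipient_groups)]
        normal.extend(reversed([link.gpo for link in kept if not link.enforced]))
        enforced_groups.append([link.gpo for link in kept if link.enforced])
    # Enforced GPOs outrank every non-enforced one, and among enforced GPOs the
    # higher-level container wins, so they are layered last, closest container first.
    enforced: List[GPO] = []
    for group in reversed(enforced_groups):
        enforced.extend(reversed(group))
    return normal + enforced


def apply_layered(order: List[GPO]) -> Dict[str, object]:
    """Strategy 1: layer settings weakest first so stronger GPOs overwrite weaker ones."""
    result: Dict[str, object] = {}
    for gpo in order:
        result.update(gpo.settings)
    return result


def lookup_strongest_first(order: List[GPO], key: str) -> Optional[object]:
    """Strategy 2: search from strongest to weakest until the setting is located."""
    for gpo in reversed(order):
        if key in gpo.settings:
            return gpo.settings[key]
    return None


# --- constructed sample hierarchy (not from the patent) ---
SITE = Container("Site", [Link(GPO("Site-Default", {"wallpaper": "corp", "allow_internet": True}))])
DOMAIN = Container("Domain", [
    Link(GPO("Domain-Security", {"allow_internet": False, "screensaver_timeout": 900}), enforced=True),
    Link(GPO("Domain-Apps", {"office_suite": "standard"})),
])
ENGINEERING = Container("OU=Engineering", [
    Link(GPO("Eng-Tools", {"cad": True, "allow_internet": True, "wallpaper": "eng"}, frozenset({"Engineering"}))),
    Link(GPO("Finance-Ledger", {"ledger": True}, frozenset({"Finance"}))),
], block_inheritance=True)
FINANCE = Container("OU=Finance", [Link(GPO("Fin-Desktop", {"wallpaper": "fin"}))])


def engineering_user_policy() -> Dict[str, object]:
    # Engineering OU blocks inheritance, so Site-Default and Domain-Apps drop out,
    # the enforced Domain-Security still wins on allow_internet, and the
    # Finance-only GPO is filtered away by group membership.
    return apply_layered(resolve_order([SITE, DOMAIN, ENGINEERING], frozenset({"Engineering"})))


def finance_user_policy() -> Dict[str, object]:
    # No block here: site, domain and OU policy all accumulate, closest overriding.
    return apply_layered(resolve_order([SITE, DOMAIN, FINANCE], frozenset({"Finance"})))


if __name__ == "__main__":
    print(engineering_user_policy())
    print(finance_user_policy())
```

The two application strategies are interchangeable because they consume the same ordered list: `apply_layered` walks it forward and lets later entries overwrite, while `lookup_strongest_first` walks it backward and stops at the first hit. The practical check for an administrator is the engineering case: blocking inheritance on the OU does not remove the enforced domain security setting, which is exactly the precedence the text assigns to the enforced option.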
Other advantages will become apparent from the following detailed description when taken in conjunction with the drawings, in which: